Poor HR leaves firms open to security risks

'Employee education gap' putting employers and employees in danger.

Small UK businesses are leaving themselves vulnerable to unnecessary IT security risks because of poor human resources practices, it was claimed today.

A poll of over 1,000 SMEs (50-250 employees) across Europe conducted by McAfee found that only 32 percent have IT security as an aspect of employee induction.

The research indicated that the UK leads the induction drive, and that British businesses are the most likely to hold induction sessions for all employees.

However, more than a third of businesses in France and Italy do not have inductions for all employees.

Some 70 percent of respondents believe that employers are more sensitive to the risks associated with new employees than they were three years ago.

However, only 39 percent of businesses have guidelines for employees on email content/language, 28 percent for the use of portable storage devices and 23 percent for laptop use.

In the majority of cases where security issues are raised, most businesses feel that the end user is more culpable than the employer, highlighting serious implications for employee and employer liability.

For example, 55 percent felt that an employee should be held responsible for a personal email that spreads a virus on the company network.

Similarly a stolen laptop is also seen as the responsibility of the employee by 67 percent of respondents.

The research warned that current approaches may be "misguided" in terms of culpability for security breaches.

Although employee actions may result in security breaches, the employer is often ultimately responsible for the processes and conditions that surround security incidents.

Greg Day, security analyst at McAfee, said: "While many businesses make a priority of employee induction, many are failing effectively to cover a major part of any employees working life: their PC and internet usage policies.

"Companies are failing to capture the opportunity presented by new starters to instil a sense of vigilance and security into the workforce.

"This oversight, coupled with a clear lack of enforcement, increases the risk of new employees consciously or inadvertently breaching corporate security protocols."

Typically, inductions are shortest in Germany where 36 percent of businesses complete full HR inductions in fewer than three hours.

At the other end of the spectrum, Spanish inductions are most likely to take more than two days (32 percent of respondents), while UK and French businesses strike a balance at half a day.

Billy Hamilton Stent, a director at consultancy LoudHouse Research which undertook the study, said: "The induction process provides an ideal opportunity to engender a vigilant response to information security for end users. 

"It is not a case of issuing a list of dos and don'ts, but more a process of establishing trust, security and clear working procedures that reduce employee and employer risk. It is unfortunate that only a minority of businesses see it in this way."

Copyright ©v3.co.uk